Open-source News

Google today released Chrome 103 as the newest monthly feature update to its cross-platform web browser...

The State of Open Source Security Highlights Many Organizations Lacking Strategies to Address Application Vulnerabilities Arising from Code Reuse

BOSTON — June 21, 2022 — Snyk, the leader in developer security, and The Linux Foundation, a global nonprofit organization enabling innovation through open source, today announced the results of their first joint research report, The State of Open Source Security.

The results detail the significant security risks resulting from the widespread use of open source software within modern application development as well as how many organizations are currently ill-prepared to effectively manage these risks. Specifically, the report found:

• Over four out of every ten (41%) organizations don’t have high confidence in their open source software security;
• The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project); and,
• The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.

“Software developers today have their own supply chains – instead of assembling car parts,  they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director, Developer Relations, Snyk. “This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.”

“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, General Manager, Open Source Security Foundation (OpenSSF). “This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.” (You can read the OpenSSF’s blog post about the report here)

Snyk and The Linux Foundation will be discussing the report’s full findings as well as recommended actions to improve the security of open source software development during a number of upcoming events:

• Session at Open Source Summit North America in Austin, TX, titled, “Addressing Cybersecurity Challenges in Open Source Software,” taking place Tuesday, June 21, at 12 p.m. local time (CT).
• Webinar taking place Tuesday, June 28, at 1 p.m. ET, to register, visit here.
• Webinar taking place Wednesday, June 29, at 9 a.m. ET, to register, visit here.

41% of Organizations Don’t Have High Confidence in Open Source Software Security

Modern application development teams are leveraging code from all sorts of places. They reuse code from other applications they’ve built and search code repositories to find open source components that provide the functionality they need. The use of open source requires a new way of thinking about developer security that many organizations have not yet adopted.

Further consider:

• Less than half (49%) of organizations have a security policy for OSS development or usage (and this number is a mere 27% for medium-to-large companies); and,
• Three in ten (30%) organizations without an open source security policy openly recognize that no one on their team is currently directly addressing open source security.

Average Application Development Project: 49 Vulnerabilities Spanning 80 Direct Dependencies

When developers incorporate an open source component in their applications, they immediately become dependent on that component and are at risk if that component contains vulnerabilities. The report shows how real this risk is, with dozens of vulnerabilities discovered across many direct dependencies in each application evaluated.

This risk is also compounded by indirect, or transitive, dependencies, which are the dependencies of your dependencies. Many developers do not even know about these dependencies, making them even more challenging to track and secure.

That said, to some degree, survey respondents are aware of the security complexities created by open source in the software supply chain today:

• Over one-quarter of survey respondents noted they are concerned about the security impact of their direct dependencies;
• Only 18% of respondents said they are confident of the controls they have in place for their transitive dependencies; and,
• Forty percent of all vulnerabilities were found in transitive dependencies.

Time to Fix: More Than Doubled from 49 Days in 2018 to 110 Days in 2021

As application development has increased in complexity, the security challenges faced by development teams have also become increasingly complex. While this makes development more efficient, the use of open source software adds to the remediation burden. The report found that fixing vulnerabilities in open source projects takes almost 20% longer (18.75%) than in proprietary projects.

About The Report

The State of Open Source Security is a partnership between Snyk and The Linux Foundation, with support from OpenSSF, the Cloud Native Security Foundation, the Continuous Delivery Foundation and the Eclipse Foundation. The report is based on a survey of over 550 respondents in the first quarter of 2022 as well as data from Snyk Open Source, which has scanned more than 1.3B open source projects.

About Snyk

Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world. Our developer-first approach ensures organizations can secure all of the critical components of their applications from code to cloud, leading to increased developer productivity, revenue growth, customer satisfaction, cost savings and an overall improved security posture. Snyk’s Developer Security Platform automatically integrates with a developer’s workflow and is purpose-built for security teams to collaborate with their development teams. Snyk is used by 1,500+ customers worldwide today, including industry leaders such as Asurion, Google, Intuit, MongoDB, New Relic, Revolut, and Salesforce.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The post New Research from Snyk and The Linux Foundation Reveals Significant Security Concerns Resulting from Open Source Software Ubiquity appeared first on Linux Foundation.

Counting the days on Linux  Network World

Evaluate PowerVS for a streamlined hybrid cloud environment  TechTarget

The PCI SIG today announced the PCI Express 7.0 specification that doubles the data rate to 128 GT/s and should be released to members in 2025...

To complement the AMD HIP, NVIDIA CUDA, and NVIDIA OptiX acceleration in Blender 3.2, Intel engineers are still hoping to have their Intel oneAPI SYCL support ready to premiere in Blender 3.3 for Intel GPU-based Cycles acceleration with Intel integrated and discrete graphics processors...

It's been known for a while that The Khronos Group and its Vulkan working group has been working on a cross-vendor extension for mesh shaders akin to what is offered already by Direct3D 12 and with NVIDIA by their VK_NV_mesh_shader extension. A few more details about the forthcoming Vulkan mesh shader support were detailed today...

KDE Plasma 5.25.1 Fixes Frustrating Linux Desktop Bugs a Week After Last Release  MUO - MakeUseOf

Linus Torvalds: After 30 years, Linux is not a dead project  VentureBeat

How to Undo & Redo in Linux Nano file Editor  Linux Shout

How to Convert a Video to GIF on Linux  MUO - MakeUseOf

Linux Foundation Announces Open Programmable Infrastructure Project  HPCwire

Open Source Community to Gather in LA for SCALE 19x  Linux Journal

RBC Joins the Open Invention Network To Protect Fintech From Looming Threat of Patent Trolls  The Fintech Times

500 Promising Individuals Worldwide Receive Linux Foundation IT Training & Certification Scholarships  Yahoo Finance

500 Promising Individuals Worldwide Receive Linux Foundation IT Training & Certification Scholarships  PR Newswire

SAN FRANCISCO—June 21, 2022—  Project Nephio, an open source initiative of partners across the telecommunications industry working towards true cloud-native automation , today announced rapid community growth and momentum.  

Since launching in April 2022 in partnership with Google Cloud, support has grown with 28 new organizations now part of the project (with over 50 contributing organizations), progress towards Technical Steering Committee (TSC) formation, and an upcoming Nephio Technical Summit, June 22-23, in Sunnyvale, Calif. New supporters include: A5G Networks, Alicon Sweden, Amdocs, ARGELA, CapGemini Technology, CIMI Corporation, Cohere Technologies, Coredge.io, CPQD, Deutsche Telekom, HPE, Keysight Technologies, KT, Kubermatic, Kydea, MantisNet, Matrixx, Minsait, Nabstract, Prodapt, Sandvine, SigScale, Spirent Communications, Telefónica, Tata Elxsi, TechMahidra, Verizon, Vodafone, Wind River, and Wipro. 

Nephio’s goal is to deliver carrier-grade, simple, open, Kubernetes-based cloud-native intent automation and common automation templates that materially simplify the deployment and management of multi-vendor cloud infrastructure and network functions across large scale edge deployments. Nephio enables faster onboarding of network functions to production including provisioning of underlying cloud infrastructure with a true cloud native approach, and reduces costs of adoption of cloud and network infrastructure.

“We are pleased to see Nephio experience such rapid growth in such a short time,” said Arpit Joshipura, general manager, Networking, Edge, and IoT, the Linux Foundation. “This is testament to the market need for open, collaborative initiatives that simplify network functions and cloud infrastructure across edge deployments.”

“We are heartened by the robust engagement from our growing Nephio community, and look forward to continuing to work together to set a new open standard for cloud-native networks to advance automation, network function deployment, and the management of user journeys,” said Gabriele Di Piazza, Senior Director, Telecom Product Management, Google Cloud.

Developer collaboration is underway with the Technical Steering Committee formation in progress. And the Nephio technical community will gather in-person and virtually for the first Nephio Technical Summit, June 22-23 in Sunnyvale, Calif. The goal is to discuss strategy, technology enhancements, roadmap, and operational aspects of cloud native automation in the Telecommunication world. More details, including how to register, are available here: https://nephio.org/events/. 

More information about Nephio is available at www.nephio.org. 

Support from contributing organizations

A5G Networks

“A5G Networks is a leader and innovator in autonomous and distributed mobile core network software over hybrid and multi-cloud. Our unique IP helps realize significant savings in capital and operating expenditures, reduces energy requirements, improves quality of user experience and catalyze adoption of new business models. A5G Networks is excited to join the Nephio initiative for intent based automation and unlock the true potential of 5G networks,” said Kaitki Agarwal, founder, president and CTO of A5G Networks, Inc.

Amdocs

“Amdocs is excited to join the Nephio community and accelerate the Telecom industry’s journey towards a cloud-native, Kubernetes-based, automation and orchestration solutions. As a leader in telco automation and a founding member of Linux  Foundation’s ONAP and EMCO projects, Amdocs is thrilled to join this new community that will address the challenges coming with the era of 5G, edge and ORAN,” said  Eyal Shaked, General Manager, Open Network PBU, Amdocs. 

Capgemini

“Capgemini is excited to join the Nephio community and join the Nephio working groups to facilitate the deployments of telecom operators by moving the Telecom industries towards a cloud-native platform and provide the automation and orchestration solutions with the help of Nephio. Capgemini is an expert in O-RAN standards and has FAPI compliant O-CU and O-DU implementations. Capgemini is thrilled to join this new community that will address the challenges coming with the era of 5G, edge and ORAN,” said Sandip Sarkar, senior director, CTO Organization, Capgemini.

CIMI Corporation

“The Nephio project promises to provide an open-source implementation of network operator service lifecycle automation based on the cloud-standard Kubernetes orchestration platform.  That’s absolutely critical for the convergence of network and cloud software,” said Tom Nolle, president, CIMI Corporation. 

Coreedge.io

Arif Khan, CEO, Coredge.iom said, “Bringing agility is delivering services and centrally managing the geographically distributed cloud, keeping cost in control is the key focus right now for operators. Nephio project is meant to achieve this with Kubernetes-based cloud-native intent automation and automation templates. We are glad to contribute to Nephio with our learnings in management of multi-cloud and distributed edge using intent driven automation inside the Coredge.”

Deutsche Telekom

“Large-scale automation is pivotal on our Software Telco journey. It is important that we work together as an industry on standards that will enable and simplify the cloud native automation of network functions. And we believe the Nephio project can play a fundamental role to speed up this process,” said Jochen Appel, VP Network Automation, Deutsche Telekom.

KT

“Cloud native is a next step on the journey of telcos’ path to successful digital transformation. Also the automated management to enable multi-vendor support and reduce cost by efficiency and agility is a key factor for operation of the cloud based network systems. The project Nephio will help open, wide, and easy adoption of such infrastructure. By co-working with partners in the project, we look forward to solving the interworking issues among multi-vendors and building up the efficient and agile orchestrated management system easily,” said Jongsik Lee, senior vice president, head of Infrastructure DX R&D Center, KT.

MantisNet

“MantisNet supports the Nephio initiative, specifically realizing the vision of autonomous networks. The Nephio project is complementary with the kinds of full-stack, end-to-end, programmable visibility, powered by an open, standards-based, event-driven, composable architecture that we are developing for a broad range of new and emerging use-cases to help ensure the secure and reliable operation of cloud-native 5G applications,”said  Peter Dougherty, CEO MantisNet. 

Matrixx Software

“Continued advancements in the automation of distributed Cloud Native Network Functions will be critical to delivering on the promises of new differentiated 5G services, and key to new industry revenue models,” said Marc Price, CTO, Matrixx Software. 

Minsait

“As a company helping Telcos to onboard their 5G network functions, we are aware of the current challenges they are facing. Nephio is a key initiative to fulfill the promises of truly cloud native deployment and operation that specifically addresses the unique pain points  of the Telco industry,” said Francisco Rodríguez, head of network virtualization at Minsait. 

Nabstract.io

“Harmonization and availability of common practices that facilitate intent driven automation for deployment and management of infrastructure and cloud native Network Functions will boost the consumption of 5G connectivity capabilities across market verticals through abstracted open APIs,” said Vaibhav Mehta, Founder, Nabstract.io.

Proadapt

“Prodapt is the leading SI for connectedness industry with a laser focus on software intensive networks. Together as a key contributor to the Project Nephios, we will jointly accelerate TelCo’s journey towards becoming a TechCo by co-innovating, -building, -deploying, and -operating distributed multi-cloud network functions. We believe our collaboration would set the foundation of a fully automated intent driven cloud-native networks supporting differentiated 5G & distributed edge experience,” said Rajiv Papneja, SVP & global head, Cloud & Network Services, Prodapt.

Sandvine

“Sandvine Application and Network Intelligence solutions provide machine learning-based 5G analytics over hybrid cloud, multicloud, and edge deployments, empowering service-providers and enterprise customers to analyze, optimize, and monetize application experiences. Sandvine is proud to be a part of the Nephio initiative for intent-based automation, a prelude to Network-as-a-Service offerings that will scale autonomously, even when comprised of different vendors’ Infrastructure/Platform/Software-aaS components,” said Samir Marwaha, Chief Strategy Officer, Sandvine.

SigScale

“SigScale believes Nephio could be instrumental in achieving a management continuum across multi-cloud, multi-vendor networks,” said Vance Shipley, CEO, SigScale.

Vodafone

“Building, deploying, and operating Telco workloads across distributed cloud environments is complex, so it is important to adopt cloud native best practices as we evolve, to enable us to achieve our goals for agility, automation, and optimisation,” said Tom Kivlin, principal Cloud Architect, Vodafone. “Project Nephio presents a great opportunity to drive the cloud native orchestration of our networks.  We look forward to working with our partners and the Nephio community to further develop and accelerate the simplification of network function orchestration.” 

Wind River

“As active supporters and contributors of key telco cloud-native open source projects such as StarlingX and the O-RAN Alliance, Wind River is excited to join Nephio. Nephio’s mission of simplifying the deployment and management of multi-vendor cloud infrastructure across large scale deployments is directly aligned with our strategy,” said Gil Hellmann, vice president, Telecom Solutions Engineering, Wind River. 

About Nephio

More information can be found at www.nephio.org.

About the Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

#####

The post Nephio Sees Rapid Growth as More Organizations Commit to Simplify Cloud Native Automation of Telecom Network Functions appeared first on Linux Foundation.

Speaking this morning at The Linux Foundation's Open-Source Summit, Linus Torvalds talked up the possibilities of Rust within the Linux kernel and that it could be landing quite soon -- possibly even for the next kernel cycle...

Linus Torvalds: Rust For The Kernel Could Possibly Be Merged For Linux 5.20  Phoronix

How to install the Etherpad collaborative note-taking platform on Linux  News Update